CVSS: 9.7EPSS: 0%CPEs: 4EXPL: 1CVE-2024-24820 – Icinga Director configuration is susceptible to Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-24820
09 Feb 2024 — Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as ... • https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16882 – Gentoo Linux Security Advisory 202007-31
https://notcve.org/view.php?id=CVE-2017-16882
18 Nov 2017 — Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account, a related issue to CVE-2017-14312. This also affects bin/icingastats, bin/ido2db, and bin/log2ido. Icinga Core hasta la versión 1.14.0 ejecuta inicialmente bin/icinga como root, pero es compatible con o... • https://github.com/Icinga/icinga-core/issues/1601 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2015-8010
https://notcve.org/view.php?id=CVE-2015-8010
27 Mar 2017 — Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi. Vulnerabilidad de XSS en el Classic-UI con el enlace de exportación CSV y la funcionalidad de paginación en Icinga en versiones anteriores a 1.14 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la cadena de consulta a cgi-bin/sta... • http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00019.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2014-2386 – Debian Security Advisory 2956-1
https://notcve.org/view.php?id=CVE-2014-2386
25 Mar 2014 — Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2) print_export_link, (3) page_num_selector, or (4) page_limit_selector function in cgi/cgiutils.c or (5) status_page_num_selector function in cgi/status.c, which triggers a stack-based buffer overflow. Múltiples errores de superación de límite (off-by-one) en Icinga, posiblemente 1.10.2 y anteriores, permiten a atacantes remoto... • http://comments.gmane.org/gmane.comp.security.oss.general/12355 • CWE-189: Numeric Errors •
CVSS: 8.1EPSS: 4%CPEs: 20EXPL: 0CVE-2014-1878 – Debian Security Advisory 2956-1
https://notcve.org/view.php?id=CVE-2014-1878
28 Feb 2014 — Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. Desbordamiento de buffer basado en pila en la función cmd_submitf en cgi/cmd.c en Nagios Core, posiblemente 4.0.3rc1 y anteriores e Icinga anterior a 1.8.6, 1.9 anterior a 1.9.5 y 1.10 anterior a 1.10.3 permite a atacantes re... • http://lists.opensuse.org/opensuse-updates/2014-04/msg00033.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.8EPSS: 0%CPEs: 38EXPL: 0CVE-2013-7107 – Debian Security Advisory 2956-1
https://notcve.org/view.php?id=CVE-2013-7107
14 Jan 2014 — Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via unspecified vectors, as demonstrated by bypassing authentication requirements for CVE-2013-7106. Vulnerabilidad de cross-site request forgery (CSRF) en cmd.cgi en Icinga 1.8.5, 1.9.4, 1.10.2 y anteriores, permite a atacantes secuestrar la autenticación de usuarios en comandos no especificados a través de vectores no ... • http://lists.opensuse.org/opensuse-updates/2014-02/msg00061.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 1%CPEs: 35EXPL: 0CVE-2013-7106 – Debian Security Advisory 2956-1
https://notcve.org/view.php?id=CVE-2013-7106
14 Jan 2014 — Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the (1) display_nav_table, (2) page_limit_selector, (3) print_export_link, or (4) page_num_selector function in cgi/cgiutils.c; (5) status_page_num_selector function in cgi/status.c; or (6) display_command_expansion function in cgi/config.c. NOTE: this can be exploited without auth... • http://www.openwall.com/lists/oss-security/2013/12/16/4 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.1EPSS: 91%CPEs: 71EXPL: 1CVE-2013-7108 – Icinga - cgi/config.c process_cgivars Function Off-by-One Read Remote Denial of Service
https://notcve.org/view.php?id=CVE-2013-7108
14 Jan 2014 — Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (1... • https://www.exploit-db.com/exploits/38882 • CWE-20: Improper Input Validation •